A day in the life: intelligence-driven threat hunting
At Atos, we always strive to find new ways to address the security threats our clients face. We focus our efforts on hunting for tooling and Tactics, Techniques and Procedures (TTPs), which identifies security threats more reliably than relying only on the automatic detection of indicators by security appliances. The TTP method enables clients to adopt a proactive approach to digital security and search the network for malicious activity that may have gone unnoticed by security controls.
As a threat hunter at Atos, I combine my threat intelligence and threat hunting experience to detect, isolate and neutralize the security threats our clients face. Our teams have substantial experience in anticipating and remediating security threats, which we use to detect malicious activity across the appliances present in the environment.
“The right mindset for a threat hunter is to assume that the breach has already occurred, and artifacts are to be found on investigated systems.”
Operational threat intelligence 101
To start, let’s present the basics of Atos’ operational threat intelligence – we analyze data on malicious activities to help clients create a proactive strategy to defend against security threats.
Our teams gather operational threat intelligence by researching malicious activity and analyzing the tooling, techniques and procedures involved, which helps us reconstruct the intrusion's kill-chain. Rebuilding the kill-chain helps us understand and combat ransomware, security breaches and advanced persistent attacks. The best source for such an analysis is the internal data on intrusions gained during incident response efforts. We rely on this data because it is free, always relevant to the organization, and based on actual adversary activity.
By collecting data from incident responses, Atos’ intelligence team can analyze and categorize the activity, start discreetly tracking relevant activity groups and inform the organization about ongoing threats.
Eventually, the information gathered is transformed into strategic intelligence, informing a client’s stakeholders about the threat landscape affecting their organization. This strategic intelligence enables organizations to focus on business risks and create a long-term digital security strategy.
An example of malicious activity
Below is an illustration of an intelligence-driven threat hunting workflow, where we utilize our threat hunting experience on malicious activity to detect similar threats within the environment. The following table represents a sample malicious activity aiming to use a spear-phishing email to deliver an espionage implant and exfiltrate valuable data:
Hunting efforts can start with simple use cases such as checking a known command and control (C2) server's IP address against available connection logs. However, since such indicators remain valid for only a short time, they are not adequate on their own for defenders. The real hunting begins when we focus on behavioral indicators, such as the specific procedures and techniques used to achieve a goal.
After identifying the TTPs used and the data trail left by a security incident, we can arrive at the following conclusions:
• This informs us about the expected persistence mechanism.
• It also helps establish how such a procedure will look in the available data sources, whether in centralized security information and event management (SIEM) logging or in data from host-based extended detection and response (XDR) sensors.
• From a network traffic logging perspective, we can look for HTTP methods carrying the user-agent string known to be used by the threat actor and correlate this with activity on ports between 8000 and 9000.
• Our analysis may reveal that the cybercriminal's phishing email infrastructure is located in Poland, while the email is masked with a .us top-level domain (TLD). Therefore, we can conclude that emails originating from IP addresses geolocating to Poland with a mismatched TLD are potential phishing emails. From there, email logs can be analyzed to confirm the findings and track other phishing messages.
“The adversary will persistently attempt to create accounts ending with the ‘$’ character, preventing the account from being displayed by the net user command.”
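The three hunts described above (the actor's user-agent on ports 8000-9000, Polish sending IPs with a .us sender domain, and newly created accounts ending in '$'), as an added example that is not code from the article or from Atos. The user-agent value, the proxy log format, the GeoIP table and all log records are constructed placeholders; a real hunt would take them from the intelligence report and the SIEM.

```python
import re
from ipaddress import ip_address, ip_network
# Hypothetical user-agent string: a placeholder for the value an intelligence report would supply.
ACTOR_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
# Constructed stand-in for a GeoIP lookup (documentation ranges only).
GEO = {ip_network("203.0.113.0/24"): "PL", ip_network("198.51.100.0/24"): "US"}

def country(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")

# Constructed proxy log, one request per line: <src> <method> <url> "<user-agent>"
PROXY_LOG = [
    '10.0.0.5 POST http://203.0.113.7:8443/upload "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.5 GET http://203.0.113.7:8443/tasks "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.9 GET http://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.12 GET http://203.0.113.7:8443/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]
PROXY_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def hunt_proxy(lines):
    """Requests carrying the actor's user-agent to a destination port in 8000-9000."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        port_m = re.search(r"^https?://[^/:]+:(\d+)", m["url"])  # explicit port, else default 80
        port = int(port_m.group(1)) if port_m else 80
        if m["ua"] == ACTOR_UA and 8000 <= port <= 9000:
            hits.append((m["src"], m["method"], port))
    return hits

# Constructed mail gateway records and Windows account-creation events (event ID 4720).
MAIL_LOG = [
    {"src_ip": "203.0.113.45", "from": "billing@invoice-portal.us"},
    {"src_ip": "198.51.100.20", "from": "news@vendor.us"},
]
ACCOUNT_EVENTS = [
    {"event_id": 4720, "account": "svc_backup$"},
    {"event_id": 4720, "account": "jsmith"},
]
def hunt_mail(records):
    """Sender IP geolocates to PL while the sender's domain is masked with a .us TLD."""
    return [r["from"] for r in records
            if country(r["src_ip"]) == "PL" and r["from"].rsplit(".", 1)[-1].lower() == "us"]

def hunt_accounts(events):
    """Newly created accounts whose name ends with '$' (hidden from 'net user')."""
    return [e["account"] for e in events if e["event_id"] == 4720 and e["account"].endswith("$")]
```

Each function returns only the records matching the behavioral pattern, so the same logic can be pointed at real SIEM exports once the placeholders are replaced.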
Threat hunting for better cybersecurity strategies
Integrating threat hunting capabilities into the business through a plan-do-check-adjust (PDCA) cycle can improve strategic intelligence. Additionally, it helps C-level executives prioritize an organization's defense against cyber threats, create an informed cybersecurity strategy and align investments.
Threat hunting aims to uncover previously unknown activity. Therefore, to enable comprehensive digital security, threat intelligence, threat hunting and incident response should ideally work together in a cycle. Verifying a hypothesis can result in the need to engage incident response again, and the data collected by responders can then be analyzed by the intelligence team, closing the loop.
Threat hunting can be a gratifying activity. It aims to turn defense into offense, forcing adversaries to keep adjusting their TTPs, which increases their chance of making a mistake and ultimately thwarts their efforts. It takes only a single error on the threat actor's part to trigger an alert or to engage in activity that threat hunting detects. The activity is then escalated to incident responders, who can stop the adversaries from achieving their objective.
About the author
Kamil Bojarski, Senior CERT Engineer
Kamil Bojarski works as a Senior CERT Engineer in Atos CERT, where on a daily basis he is responsible for threat hunting and threat intelligence operations. His research interests focus on the counterintelligence aspects of information security, the activity of eastern APT groups and modern investigative techniques used by government agencies. He holds Advanced Memory Forensics and Threat Detection and Cyber Threat Intelligence certifications from the SANS Technology Institute, the CompTIA Security+ certification, and the GIAC Cyber Threat Intelligence certification, among others. He is a member of the GIAC Advisory Board and of the Secretariat of the Cambridge International Symposium on Economic Crime.